Today it was announced that “critical and severe vulnerabilities” affecting a WordPress community-building plugin called Ultimate Member have been patched. These vulnerabilities are easy to exploit and can give attackers administrator-level access, allowing them to do whatever they want on the site.
This is how Wordfence describes the seriousness of these vulnerabilities:
“This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.”
Ultimate Member WordPress Plugin
The Ultimate Member WordPress plugin is a community building tool that allows WordPress publishers to enable readers to become members. These members can receive various levels of access and interact with each other socially.
It’s also a solution that can be used to restrict access to content to registered users only and to grant various membership privileges, such as publishing to the site.
Ultimate Member Vulnerability
There are three exploitable vectors in the plugin, all of them privilege escalation vulnerabilities. A privilege escalation exploit allows an attacker to obtain a higher level of user privileges than their account was granted.
For example, if someone is registered on a site as a subscriber, they can read articles and comment on them. But with an exploit, they can elevate their site privileges from subscriber to administrator, granting themselves the ability to do whatever they want on the site.
An authenticated privilege escalation exploit requires some kind of authentication, like a subscriber role. An unauthenticated privilege escalation exploit doesn’t even require the person to be a registered user.
The vulnerabilities affecting the Ultimate Member plugin involved two unauthenticated exploits and one authenticated exploit.
The authenticated privilege escalation exploit allows a registered user to upgrade their own privileges. The unauthenticated privilege escalation exploits allow an attacker who is not registered on the site to use the plugin’s registration form as the attack vector.
These exploits are serious and are rated critical and severe.
Here’s how Wordfence describes it:
“…this vulnerability is considered critical as it allows originally unauthenticated users to escalate their privileges with some conditions. Once an attacker has elevated access to a WordPress site, they can potentially take over the entire site and further infect it with malware.”
Update Immediately
It is recommended that users update immediately to Ultimate Member WordPress plugin version 2.1.12 or later. That release contains the patch that fixes all three vulnerabilities.
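Two checks a site owner will want after reading the above: confirm that the installed plugin is at or past the patched release, and look for administrator accounts that should not exist, since an administrator account the owner did not create is the trace a privilege escalation to administrator leaves behind. The script below is an added example written for this page; it is not code from the article, from Wordfence or from the Ultimate Member project. It reads the version from a plugin’s main file header (the `Version:` line WordPress itself parses) and audits a user list shaped like the JSON that `wp user list --format=json` produces. The sample header, the sample users, and the allowlist of expected administrators are constructed for the example; the file paths and field names are assumptions.

```python
"""Post-patch audit for the Ultimate Member privilege escalation advisory.

Added example, not code from the article or the plugin. Sample inputs are
constructed inline so the script runs offline; replace them with the real
plugin file and a real user export when running against a site.
"""
import re
import json

PATCHED_VERSION = "2.1.12"  # release the article names as containing the fix

# Constructed sample: the header block WordPress reads from a plugin's main
# file (for Ultimate Member that file is assumed to be ultimate-member.php).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Ultimate Member
 * Plugin URI: https://ultimatemember.com
 * Description: community plugin header (constructed sample)
 * Version: 2.1.11
 */
"""

# Constructed sample shaped like `wp user list --format=json` output.
SAMPLE_USERS = json.loads("""[
  {"ID": 1,  "user_login": "siteowner",  "roles": "administrator",
   "user_registered": "2019-03-01 10:00:00"},
  {"ID": 42, "user_login": "reader42",   "roles": "subscriber",
   "user_registered": "2020-10-20 08:12:00"},
  {"ID": 77, "user_login": "xyz_member", "roles": "administrator",
   "user_registered": "2020-11-09 02:37:00"}
]""")

# Assumption: the site owner maintains this allowlist of legitimate admins.
EXPECTED_ADMINS = {"siteowner"}


def parse_version(header_text):
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                  header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version):
    """'2.1.12' -> (2, 1, 12); non-numeric suffixes in a component are dropped."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_patched(installed, patched=PATCHED_VERSION):
    """True when the installed version is at or past the patched release.

    Tuple comparison handles unequal lengths: (2, 1) < (2, 1, 12) < (2, 2).
    """
    return version_tuple(installed) >= version_tuple(patched)


def unexpected_admins(users, expected=EXPECTED_ADMINS):
    """Logins holding the administrator role that are not on the allowlist.

    wp-cli emits roles as a comma-separated string; a list is accepted too.
    """
    flagged = []
    for user in users:
        roles = user["roles"]
        roles = roles.split(",") if isinstance(roles, str) else list(roles)
        if "administrator" in roles and user["user_login"] not in expected:
            flagged.append(user["user_login"])
    return flagged


def audit(header_text, users):
    """Combine both checks into one report dictionary."""
    installed = parse_version(header_text)
    return {
        "installed_version": installed,
        "patched": bool(installed) and is_patched(installed),
        "unexpected_admins": unexpected_admins(users),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PLUGIN_HEADER, SAMPLE_USERS)
    print(json.dumps(report, indent=2))
```

With the constructed inputs the report shows version 2.1.11 as unpatched and flags `xyz_member` as an administrator the owner did not create. Against a real site, an unexpected administrator is a reason to treat the site as compromised rather than simply to delete the account: the article’s point is that administrator access lets an attacker plant malware that survives the account’s removal.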
Citation
Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin